COMPANY AND CULTURE
Managing and Sharing Passwords in Teams (while Keeping your Peace of Mind)
When I see my friends and family (hi Mom, hi Dad!) typing passwords instead of using a password manager, I always get an uneasy feeling. But when my fellow team members at K15t Software do it, I feel especially uncomfortable – because we simply cannot compromise our company security.
After introducing 1Password, a password manager, at K15t Software a couple of years ago, it has become part of our standard toolkit. Of course, sometimes new team members need to be reminded to store all their passwords in 1Password, but as soon as they know how to access passwords in their browser and on their mobile device, they're onboard. So, nobody at K15t Software remembers (or types) passwords anymore: except for the master password.
Even though 1Password worked well for us, we ran into a couple of problems – especially when it came to sharing team passwords, or dealing with 1Password's Linux incompatibility. Luckily, AgileBits – the company behind 1Password – recently released 1Password for Teams, solving almost all of our problems.
In this article, I want to share how 1Password helps the K15t team manage and share passwords.
The Inevitable Shared Password
There are some general rules for creating and managing passwords in teams. One of them is: don't share passwords. Just don't. Once multiple people have access to the same account, it is impossible to know who exactly used it or when. Despite this, companies (including us) often have to deal with shared passwords.
Why? Because many cloud services and shopping sites don't offer sophisticated user management, making shared passwords a necessity. Our back office team, for example, has to use a shared password for our Amazon account to manage purchases and our marketing team also has to share passwords to manage some of our social media accounts.
Before 1Password for Teams was released, we used 1Password's vaults, storing each one in a separate Dropbox folder. To share the passwords within a certain vault, we had to share the corresponding Dropbox folder. However, this had some drawbacks:
- When managing 1Password vaults in Dropbox folders, permissions could only be set through the Dropbox folder.
- Shared vaults required a password, which in turn had to be shared among users.
- After a team member had added a shared vault locally, there was no way of easily removing it. You had to revoke their viewing/writing permissions in the shared Dropbox folder and you had to physically sit down with them in front of their computer to delete the shared vault from their 1Password installation.
- Team members could easily copy passwords from one vault into another, which lead to a lot of duplicate (and obsolete) entries. In one case, one of our team members accidentally copied all of their personal vault entries into a shared vault – ouch!
- As everyone had writing permissions for the shared Dropbox folders, there was always a chance of having conflicting versions.
- There was no version of 1Password for Linux users.
Thankfully, 1 Password for Teams has been released and it solves almost all of the problems mentioned above.
Organize passwords into vaults to easily manage who has access to which passwords.
1Password for Teams
Using a password manager in general is a step in the right direction. Using a password manager built for teams took us (and can take you) a step further: 1Password for Teams remains simple to use while adding fine-grained management features that enable us to collaborate better and more safely.
Once set up, 1Password is very easy to use, which is absolutely necessary if you want to get all team members onboard. For example, all it takes to log into 1Password's web app is one shortcut: Command-\. Even on mobile devices, it's easy to fill out a login form (Touch ID integration on iOS FTW!). The only missing piece is a proper Linux client – but at least the web UI is pretty good, allowing the few Linux users we have to copy/paste passwords into login fields.
The fine-grained permission control of 1Password for Teams makes it easy to manage shared passwords. Because of these controls, everyone on our team can now create and update passwords, or move them to the trash. However, only administrators can move items in and out of vaults, and empty the trash. This means that passwords are less likely to be lost by accident. 1Password for Teams also features a password recovery process (in case a team member loses their credentials) and an audit log that documents what changes were made by which users.
Finally, the security concept behind this tool is very sophisticated: 1Password for Teams combines an account key with a master password allowing for much stronger encryption. In order to maintain the password manager's usability, the unencrypted account key is stored on the user's personal device to authenticate it, while the master password is used to unlock vaults. That being said, both the account key and master password are strictly kept on the device, never being transmitted. This means that even if 1Password's servers are compromised or someone intercepts the SSL communication, they will only be able to acquire strongly encrypted data. (This is the short version: for more details, you can also review 1Password's Security White Paper which even convinced our IT security experts).
Not only can you store all of your passwords in 1Password, it can also generate passwords for you.
Don't Forget the Weakest Link
Using a password manager such as 1Password for Teams allows us to safely share and manage our team's passwords. Nonetheless, it is crucial to make the weakest link – the individual user – stronger. In order for password security to work, every team member has to use the same password manager for all passwords. It is also prudent to educate team members on how 1Password for Teams works. Security will improve if people know how to safely store the recovery kit, to separate personal passwords from work passwords, and to only sign in from trusted devices. 1Password provides a checklist you can use to educate your team. Your team members should also know the significance of a strong master password and how to choose or generate one.
Choosing a strong master password is especially important. Check out AgileBits' advice on memorizable passphrases, as well as Bruce Schneider's article on choosing good passwords (it also explains how passwords are hacked).
Password security is paramount at a time when almost every company stores vital information and documents online. A password manager such as 1Password for Teams can help companies build a strong security infrastructure – it certainly improved ours.